> Did you actually try his example?
No, I could not understand it. Now I see why:
1) Where would the "experienced hacker" enter the attack? Now I see
that it is the URL of the attacked site. That was not clear; I thought
that it was being entered into some form element that I did not see in
2) I thought that yoursite.com is the attacked site, and mysite.com is
the attacking site. Now I see that the author just messed up and they
both should have been yoursite.com.
Why not just use SCRIPT_NAME then? It doesn't contain the path variables.